Release/v3 (#33)

henrinormak · web-flow · commit 6f44a85664d3 · 2016-12-31T00:14:15.000+02:00
* Don't overwrite Error object in tests Instead of overwriting the default Error object with Foundation's custom error object, name that one FoundationError. * Fix assertion of Error equality Two errors with different messages and/or names will no longer be asserted as equal. * Add test for error assertion * Enforce bearer auth scheme (#32) * Require Bearer prefix for auth token * Make Bearer check case insensitive * Fix tests * Add test for missing Bearer prefix error * Update docs with information about Bearer requirement * Fix style error
diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ var Auth = require('lambda-foundation').authentication;
 
 ### Authentication
 
-Authentication is an asynchronous process, that assumes the event contains a value under the `authorization` key. This value could be a pure OAuth token or it could be a full header (with type prefix). The API returns a promise that fails if the context is not properly authenticated. Upon success, the promise resolves the token into its claims, which in general contain a `sub`, `exp` and `iat` keys as per the [JWT spec](http://jwt.io/introduction/).
+Authentication is an asynchronous process, that assumes the event contains a value under the `authorization` key. This value must be an OAuth Bearer token, as defined in [RFC 6750](https://tools.ietf.org/html/rfc6750). The API returns a promise that fails if the context is not properly authenticated. Upon success, the promise resolves the token into its claims, which in general contain a `sub`, `exp` and `iat` keys as per the [JWT spec](http://jwt.io/introduction/).
 
 ```js
 var Auth = require('lambda-foundation').authentication;
diff --git a/lib/authentication/index.js b/lib/authentication/index.js
@@ -36,11 +36,9 @@ module.exports = {
      * @throws if token is invalid
      */
     isValidToken: function(token) {
-        if (!token) {
+        if (!token || !_.startsWith(token.toUpperCase(), 'BEARER')) {
             throw new Error('401', 'Invalid token');
-        }
-
-        if (_.startsWith(token, 'Bearer')) {
+        } else {
             token = token.substring(6).trim();
         }
 
diff --git a/lib/test/context.js b/lib/test/context.js
@@ -72,7 +72,12 @@ module.exports = {
             fail: function(err) {
                 t.ok(true, 'Context finished with failure');
                 if (expected) {
-                    t.same(err, expected, 'Context failed with expected result');
+                    if (err instanceof Error && err.name !== 'LambdaError') {
+                        t.same(err.name, expected.name, 'Context failed with expected error type');
+                        t.same(err.message, expected.message, 'Context failed with expected error message');
+                    } else {
+                        t.same(err, expected, 'Context failed with expected result');
+                    }
                 }
                 if(cb) {
                     cb(err);
diff --git a/lib/test/event.js b/lib/test/event.js
@@ -28,7 +28,7 @@ module.exports = function (extras){
             payload = _.isString(payload) ? {sub: payload} : payload;
 
             return _.merge(
-                { authorization: jwt.sign(payload, secret) },
+                { authorization: 'Bearer ' + jwt.sign(payload, secret) },
                 properties
             );
         },
diff --git a/test/authentication-test.js b/test/authentication-test.js
@@ -34,7 +34,7 @@ tape.test('If invalid token then return 401', function(t) {
 tape.test('If valid token then return decoded token', function(t) {
 
     try {
-        const decoded = auth.isValidToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34');
+        const decoded = auth.isValidToken('Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34');
         t.equal(decoded.sub, 'test@test.com');
         t.end();
     } catch (err) {
@@ -71,7 +71,7 @@ tape.test('If valid token with altered secret then return decoded token', functi
 tape.test('If valid token with Bearer keyword then return decoded token', function(t) {
 
     try {
-        const decoded = auth.isValidToken('Bearer ' + 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34');
+        const decoded = auth.isValidToken('Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34');
         t.equal(decoded.sub, 'test@test.com');
         t.end();
     } catch (err) {
@@ -163,7 +163,7 @@ tape.test('if valid token and valid scope then resolve decoded token', function(
         ]
     };
 
-    const authPromise = auth.authenticate('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34', {
+    const authPromise = auth.authenticate('Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34', {
         scope: ['admin'],
         rule: auth.RULE.NONE
     });
@@ -179,7 +179,7 @@ tape.test('if valid token and valid scope then resolve decoded token', function(
 
 tape.test('if invalid token and valid scope then reject', function(t) {
 
-    const authPromise = auth.authenticate('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34' + 'foo', {
+    const authPromise = auth.authenticate('Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34' + 'foo', {
         scope: ['tester'],
         rule: auth.RULE.NONE
     });
@@ -196,7 +196,7 @@ tape.test('if invalid token and valid scope then reject', function(t) {
 
 tape.test('if valid token and invalid scope then reject', function(t) {
 
-    const authPromise = auth.authenticate('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34', {
+    const authPromise = auth.authenticate('Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34', {
         scope: ['admin']
     });
 
@@ -209,3 +209,15 @@ tape.test('if valid token and invalid scope then reject', function(t) {
         t.end();
     });
 });
+
+tape.test('if Bearer prefix is missing then reject', function(t) {
+    try {
+        auth.isValidToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0QHRlc3QuY29tIiwic2NvcGUiOlsidGVzdGVyIl19.ZzBZRdxQHFemCW2TwwFRn8Jk-uWt-OLtsi6O5pWpM34');
+
+        t.fail('didn\'t throw error');
+        t.end();
+    } catch (err) {
+        t.equal(err.code, '401');
+        t.end();
+    }
+});
diff --git a/test/event-test.js b/test/event-test.js
@@ -2,6 +2,7 @@
 const tape = require('tape');
 const Event = require('../lib/test/event');
 const jwt = require('jsonwebtoken');
+const auth = require('../lib/authentication');
 
 tape.test('Should return authorized event with default secret', function(t) {
 
@@ -10,7 +11,7 @@ tape.test('Should return authorized event with default secret', function(t) {
     t.ok(event.authorization, 'Event has authorization defined');
 
     try {
-        jwt.verify(event.authorization, 'default_secret');
+        auth.isValidToken(event.authorization);
     } catch(err) {
         t.fail('Unable to verify token');
     }
@@ -20,16 +21,20 @@ tape.test('Should return authorized event with default secret', function(t) {
 
 tape.test('Should return authorized event with custom secret', function(t) {
 
-    const event = Event().authorized(null, 'secret');
+    const testSecret = 'some-secret';
+    
+    const event = Event().authorized(null, testSecret);
 
     t.ok(event.authorization, 'Event has authorization defined');
 
     try {
-        jwt.verify(event.authorization, 'secret');
+        auth.config({ secret: testSecret });
+        auth.isValidToken(event.authorization);
     } catch(err) {
         t.fail('Unable to verify token');
     }
     t.same(event, {authorization: event.authorization}, 'Authorized event returned');
+    auth.config({ secret: undefined }); // teardown because following tests use `default_secret`
     t.end();
 });
 
@@ -41,7 +46,7 @@ tape.test('Should return authorized event with email payload', function(t) {
     t.ok(event.authorization, 'Event has authorization defined');
 
     try {
-        const decoded = jwt.verify(event.authorization, 'default_secret');
+        const decoded = auth.isValidToken(event.authorization);
         t.same(decoded, {iat: decoded.iat, sub: 'tester@testlio.com'});
     } catch(err) {
         t.fail('Unable to verify token');
@@ -58,7 +63,7 @@ tape.test('Should return authorized event', function(t) {
     t.ok(event.authorization, 'Event has authorization defined');
 
     try {
-        const decoded = jwt.verify(event.authorization, 'default_secret');
+        const decoded = auth.isValidToken(event.authorization);
         t.same(decoded, {iat: decoded.iat, sub: 'tester@testlio.com', scopes: ['admin']});
     } catch(err) {
         t.fail('Unable to verify token');
@@ -74,7 +79,7 @@ tape.test('Should return authorized event with extra properties', function(t) {
     t.ok(event.authorization, 'Event has authorization defined');
 
     try {
-        const decoded = jwt.verify(event.authorization, 'default_secret');
+        const decoded = auth.isValidToken(event.authorization);
         t.same(decoded, {iat: decoded.iat});
     } catch(err) {
         t.fail('Unable to verify token');
diff --git a/test/mock-context-test.js b/test/mock-context-test.js
@@ -1,5 +1,5 @@
 const tape = require('tape');
-const Error = require('../lib/error');
+const FoundationError = require('../lib/error');
 const Context = require('../lib/test/context');
 
 tape.test('Should succeed with expected result provided', function(t) {
@@ -25,35 +25,47 @@ tape.test('Should succeed with callback provided', function(t) {
 });
 
 tape.test('Should fail with expected error provided', function(t) {
-    const mock = Context.assertFail(t, new Error('999', 'Expected error'));
+    const mock = Context.assertFail(t, new FoundationError('999', 'Expected error'));
     t.plan(2);
-    mock.fail(new Error('999', 'Expected error'));
+    mock.fail(new FoundationError('999', 'Expected error'));
 });
 
 tape.test('Should fail with expected error and callback provided', function(t) {
-    const mock = Context.assertFail(t, new Error('999', 'Expected error'), function(error) {
-        t.same(error, new Error('999', 'Expected error'), 'Callback called');
+    const mock = Context.assertFail(t, new FoundationError('999', 'Expected error'), function(error) {
+        t.same(error, new FoundationError('999', 'Expected error'), 'Callback called');
     });
     t.plan(3);
-    mock.fail(new Error('999', 'Expected error'));
+    mock.fail(new FoundationError('999', 'Expected error'));
 });
 
 tape.test('Should fail with expected error and callback provided', function(t) {
     const mock = Context.assertFail(t, function(error) {
-        t.same(error, new Error('999', 'Expected error'), 'Callback called');
+        t.same(error, new FoundationError('999', 'Expected error'), 'Callback called');
     });
     t.plan(2);
-    mock.fail(new Error('999', 'Expected error'));
+    mock.fail(new FoundationError('999', 'Expected error'));
 });
 
 tape.test('Should succeed with done called', function(t) {
-    const mock = Context.assertFail(t, new Error('999', 'Expected error'));
+    const mock = Context.assertFail(t, new FoundationError('999', 'Expected error'));
     t.plan(2);
-    mock.done(new Error('999', 'Expected error'));
+    mock.done(new FoundationError('999', 'Expected error'));
 });
 
 tape.test('Should succeed with done called', function(t) {
     const mock = Context.assertSucceed(t, {result:"result"});
     t.plan(2);
     mock.done(null, {result:"result"});
 });
+
+tape.test('Should assert that two identical vanilla errors are equal', function(t) {
+    const mock = Context.assertFail(t, new Error('Expected error'));
+    mock.fail(new Error('Expected error'));
+});
+
+tape.test('Should fail assertion if two vanilla errors are not the same', function(t) {
+    t.same = t.notSame; // inverse assertion behaviour in context to show that its assertion did fail
+    const mock = Context.assertFail(t, new Error('Expected error'));
+    // mock is set to fail with error of different message and type, meaning that similarity assertion by Context should fail
+    mock.fail(new RangeError('Unexpected error'));
+});
